Thursday, March 6, 2014

November 9-21, 2011 - Was Crucial Evidence of the Criminal IT Case Intentionally Destroyed by DuPage Forest Preserve during these Twelve Days?


Part OnePart TwoPart ThreePart FourPart FivePart SixPart SevenPart EightPart NinePart Ten

On Nov. 9, 2o11, an undisclosed subcontractor of  JRM Consulting, Inc. was sent by the 
Forest Preserve District of DuPage County (FPDDC) to pick up equipment from Alamach Technology, Inc. 

Under contract, Alamach had provided all IT archives, email back-up, and disaster recovery for the FPDDC off-site in compliance with the Federal Regulations on Civil Procedures and the 2002 Homeland Security Act

This equipment contained data that would be described as "the most crucial evidence in the case" of Arif Mahmood, former owner of Alamach. Mahmood would later be charged with 37 felony counts in alleged scheme to steal from the FPDDC. Also charged in this case were the District's former director of its IT department, Mark McDonald, and the department manager, David Tepper, each with 142 felony counts.

JRM had been paid $66,000 by the FPDDC in 2011 to conduct a secret internal forensic investigation of its IT department. 

On Dec. 3, 2013, Mahmood's attorney, former federal prosecutor Patrick Collins, filed a motion to dismiss his client's case at the Henry J. Hyde Judicial Office Facility in Wheaton. Collins wrote:
Quite simply, the FPDDC's failure to preserve the most crucial evidence in the case has destroyed any meaningful opportunity Mahmood has to defend himself against the charges alleged. Because of this clear and irreparable violation of Mahmood's right to due process, the Court should dismiss the indictment as to Mahmood.
Citizen watchdogs take it to another level, claiming that the off-site archives may have contained incriminating information of an individual or individuals connected with the FPDDC. This information, they allege, may have been at the heart of the 2011 covert internal investigation. 

Watchdogs say such damning material would explain: 

- why events related this story went into motion following a Feb. 2, 2011 purchase order to pay Alamach for off-site email migration had the hand-written question: Are all users on Archiving

- why the State's Attorney's office wasn't brought in on Day One

- why a politically-connected IT vendor with no license to conduct forensic criminal investigations was contracted to conduct the covert investigation

- why political strategists with close ties to elected Republican officials in DuPage County were contracted to handle crisis communications six days prior to alerting the State's Attorney's office

- why two IT subcontractors billed 18.5 hours the day after Mahmood's equipment containing off-site archives was seized

- and, why crucial evidence was destroyed, perhaps intentionally prior to alerting law enforcement.

Watchdogs wonder if individuals at the FPDDC had something to hide, if it had to do with the 2009 emails, and if McDonald, Tepper and Mahmood were in the way. 

Turn Off Cell Phone for "Full and Undivided Attention"

The FPDDC could not request IT staff to delete public records without raising questions or being told that do so required permission from the State followed by a waiting period.

According to an email released through FOIA, McDonald had apparently been told on or before Oct. 26, 2011 to 
specifically delete all 2009 administrative emails. The previous day, former FPDDC Director Brett Manning returned after an extended leave. That morning, McDonald wrote to FPDDC staff person, Linda Klett, requesting her to seek permission to do so from the State: (click image to enlarge)

Nov. 4, 2011 was D-Day at the Forest Preserve. 

JRM organized a Transition Timeline with military precision to such an extreme that events were broken into five-minute increments with directions that cell phones be turned off for "full and undivided attention". McDonald and Tepper were to be called into meetings at 8:00 am and 8:05 am, respectively. "Law enforcement" was in position to escort the two IT men and to prevent any attempts to access to the system. Conspicuously omitted from the micro-management were steps to preserve evidence, create mirror images, and to adhere to a chain of custody. 

JRM Transition Timeline Nov. 4-7, 2011
(click images to enlarge)

JRM Consulting, including its subcontractor, Vince Durante, son of local GOP heavyweight and RTA Board Member Pat Durante, participated in these exit interviews. Durante was moonlighting during regular business hours from his full-time job as a technical manager at the Illinois Department of Transportation. JRM also unveiled a new subcontractor -- James Y. JRM Consulting billed 70.25 hours this day at $150 per hour.

Exit interviews took place, IT Department passwords were yielded and changed, McDonald and Tepper were locked out and escorted by law enforcement, and IT vendor Kinsey & Kinsey, Inc. was brought in to fulfill the role of management during the transition. 

The FPDDC could no longer assert that secrecy was required, that McDonald and Tepper with their "superior knowledge of computer systems" could destroy evidence, and that this taxpayer-funded investigation was about the protection of public funds. 

The Daily Herald reported later"The district acted immediately, quickly and responsibly," forest preserve district spokeswoman Sue Olafson said. "As soon as it heard there were some issues, the district took that information to the state's attorney's office."

Yet, it would be another 17 days before the State's Attorney's office would be notified. 

There was still some unfinished work.

The D-Day's Transition Timeline hit a snag: the off-site equipment belonging to Mahmood could not be seized as quickly as anticipated. Public records show that a transition agreement had to be signed by Mahmood. Cordial correspondence between former FPDDC attorney Bob Mork and Mahmood's former attorney took place between Nov. 4th - 8th in an effort to obtain the equipment.

Watchdogs look at JRM invoices and assert that the most significant events have been overlooked, occurring from the moment Mahmood's equipment was seized on Nov. 9th to the moment the JRM Report was submitted to the State's Attorney's office on Nov. 21st. 

Two years later, these twelve days could be the crux of a motion filed by Mahmood's attorney. The most crucial evidence had been destroyed.

Twelve Days in November 

Nov. 9, 2011: FPDDC executes a transition agreement under which Alamach is lead to believe they are assisting with an investigation and that equipment will be returned. FPDDC thanks Alamach for their cooperation.

According to attorney correspondence and JRM invoices, Alamach equipment containing District archives was handed over to a JRM subcontractor, Mark Broyles. Broyles bills 8.75 hours for procuring off-site equipment.

No chain of custody for this evidence of work product was included in FOIA responses. A chain of custody refers to "the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence".

The FPDDC did not alert the State's Attorney's office.

Nov. 10, 2011: JRM subcontractors appear to immediately attack server equipment with apparently no effort to preserve data or create mirror images. Stand up of DPM servers. "James Y.", a JRM subcontractor who first arrived at the FPDDC on D-Day, and Broyles each bill 9.25 hours for a total of 18.5 hours setting up a DPM servers. Broyles works an additional three hours this day updating the final report.

The FPDDC did not alert the State's Attorney's office.

Nov. 15, 2011: Forest Preserve IT Director Mark McDonald was officially terminated. McDonald had been suspended on Nov 4th "pending a full investigation." His termination less than two weeks later indicates that the "full investigation" was completed on this day.

The District's Board unanimously approve the $48,000 contract of Reverse Spin, who described themselves as political strategists in their one-page proposal submitted to the District in October. The strategists assured they would be available 24/7 for crisis communications. At the time, the District had six staff people in its public relations department. For years, Reverse Spin had close ties with the DuPage County State's Attorney's office, including its spokesperson, Paul Darrah

The FPDDC did not alert the State's Attorney's office.

Nov. 20, 2011:

On a Sunday, James Y. bills 8.5 hours for troubleshooting offline virtual servers.

The FPDDC did not alert the State's Attorney's office.

Nov. 21, 2011:

The JRM Assessment Report is completed with no substantial changes from the Oct. 30th draft version. The FPDDC submits the report to the DuPage County State's Attorney's office.

It would be nine days before the State's Attorney would open an investigation.

CountyLeaks Asks Many Questions:

Was Mahmood's equipment scrubbed on Nov. 10, 2011? If not, when was it wiped clean? Obviously before a forensics expert examined it in October 2013... Who performed this task? Was it specifically assigned?

Why was there no mention in the D-Day Transition Timeline to preserve data, to create mirror images and to observe a strict chain of custody of evidence? At least those cell phones were turned off at 8:05 am...

Is there a back-up of the back-up? 

Did some people at FPDDC fear that McDonald and Tepper knew something and would blow the whistle on them all? Can they still blow the whistle? 

Why wasn't law enforcement brought in on Day One? Why, why, why???

Isn't the reason for an internal investigation usually about damage control?

If McDonald and Tepper were considered such suspicious characters that would warrant a covert internal forensic investigation, why weren't they placed on administrative leave right away? Why allow them to continue to have access to the system for months? Is it because this was never about McDonald and Tepper?

Why wasn't the State's Attorney's office brought in on Nov. 4, 2011? There would be no substantial changes to the draft of the JRM Report to when it was submitted 17 days later. Is it because they first needed to remove the defendants' ability to defend themselves by wiping the system clean? Or more importantly, did they need to make sure that all incriminating evidence against an individual or individuals at the FPDDC had to disappear and QUICK? They couldn't risk turning the case over to the State's Attorney's office in the unlikely event there would be an order to preserve all evidence? 

Why didn't the State's Attorney's office seek an immediate order to preserve all paper and electronic data during a criminal investigation? 

Who was in charge of the IT Department from Nov 4-21? Who was the interim IT Director? Who is responsible for the destruction of records? 

Is the reason why the State's Attorney's office diminishes Mahmood's equipment being scrubbed because they know the subject is radioactive?

Again, is there a back-up of the back-up?

Was a politically-connected-rent-a-cop IT firm with no forensics licensing exactly the right people for this sensitive operation of cherry picking and data destruction?

Who is James Y and what is his expertise? Why did JRM bring him in on Nov. 4, 2011 --the original date Mahmood's equipment was to be seized? Did James Y know he was hired to mess with equipment that contained evidence for a criminal investigation and prosecution? Was James Y just a geek hired because no one working for JRM or in the IT department knew how to set up DPM servers?

As a courtesy, wouldn't it have been easier and quicker for the FPDDC to simply tell the State's Attorney's office, Patrick Collins, and Judge Fawell that JRM had been paid to scrub Mahmood's equipment in 2011, so there was no need to pay and schedule for a forensics expert to drop by? How long did this stall the IT case? This alone should explain what we're dealing with here...

So what else is being destroyed at the FPDDC as the months and years go by? 

If evidence of Mahmood's vast work product doesn't matter to the Court and the State's Attorney's office, perhaps the FPDDC's destruction of incriminating evidence will matter to the Feds?

Again, is there a back-up of the back-up?

Why did the FPDDC keep Mahmood's equipment and why is it still in use? Legal scholars, was Mahmood's equipment stolen by the FPDDC?

Should it be filed under "really?" that JRM began its covert internal forensic investigation the very day Manning began a three-month leave? When the cat's away... 

Did FPDDC Director Brett Manning's return from a personal leave on Oct. 25, 2011 have anything to do with McDonald's email the next morning about seeking permission to delete 2009 administrative emails? Who told McDonald to delete emails?

Was the FPDDC freaking out between Nov. 4-9, 2011 while they waited to obtain Mahmood's equipment? After all, it deviated from the anal Transition Timeline... What kind of sick and twisted mind came up with this timeline?

Legal scholars, does a guy who cites the Illinois Local Records Act when told to get rid of the 2009 emails strike you as someone who might pose a threat in the illegal destruction of public records? Is this the type of insubordination which gets a person fired at the Forest Preserve?

So, Reverse Spin's contract began Nov. 15, 2011? Is it possible the political strategists were slithering behind the scenes for the FPDDC weeks or months earlier, perhaps as a subcontractor for an attorney? After all, Reverse Spin had done the low crawl with defense attorney Terry Ekl during the criminal trials of McHenry County State's Attorney Lou Bianchi... Did FPDDC attorneys ever pay Reverse Spin?

Does the FPDDC IT case parallel with the Dalby IT case in McHenry County, particularly the part where a politically-connected IT firm is paid to check under the hood of Dalby's computer before anything is turned over to law enforcement? To contract Reverse Spin to put out fires before a fire had even started?

Why was Reverse Spin contracted to conduct crisis communications? Was the FPDDC in a crisis? Or would it have been more accurate to say damage control? Why does a government agency require the services of professional spinners? Isn't it a bit embarrassing for public checks to be written out to Reverse Spin?

Why did Dean Westrom suddenly "retire" 12 days after the Feb. 3, 2011 Are-all-users-on-Archiving purchase order? Why didn't Dewey present Dean with a sheet cake at a Board meeting? Why retire early from a well-paying, cushy dream job of managing golf courses -- with outstanding benefits? Why does Dean's LinkedIn page state: would like to pursue the opportunity to work for a private firm, part time

Had an individual or individuals become a liability? Did it have anything to do with the 2009 emails that needed to be urgently destroyed without permission from the State? Hmm...what event took place in 2009?

Again, is there a back-up of the back-up?

On a scale of 1 to 10, how bizarre was it for Vince Durante to take a day off from his IDOT managerial position to fix pot holes to attend personal and confidential exit interviews of McDonald and Tepper? Can McDonald and Tepper attend Vince's exit interview? Are State employees allowed to work for pay on a paid day off from a State job?

What about all the other work Vince performed for JRM on work days? Is this the reason the Chicago area is plagued with so many potholes? Are the road warriors who should be fixing them moonlighting on covert internal investigations? Ho ho, iCountyLeaks onto something big?

So why exactly was Troy Clampit hired by the FPDDC in 2011? Did he possess IT skills required in the job posting? (Oh wait a minute...there was no job posting! He just appeared on the scene... My bad..,) 

Why did the FPDDC hire Troy as a IT project analyst when he didn't even have a two-year college degree? Why did tax payers reimburse him for a college course in astronomy?

Was Troy the first politically-connected IT guy hired to snoop around at the FPDDC? How did that work out? How did Troy find time for his day job while billing so much political work at Genesis One

Did the Durante family assist Troy in attaining his new job as "senior web architect" at the RTA for $71,000 -- a $41,000 increase from when he was first hired at the FPDDC two years earlier? After all, Troy and Vince had spent quality time together on the covert internal forensic investigation, Troy had done plenty of work for DuPage County Board Chairman Dan Cronin, the Addison Township Republican Organization and DuPage County Republicans via Genesis One, and ol' man Pat Durante sits on the RTA Board... 

The job requirements for Troy's new RTA position called for a BS or MS degree and certifications, none of which Troy had. Another political hire? Did Cronin put in a good word for his campaign broker? Dewey? Did they need to take very good care of Troy?

Was Troy's application for the RTA position one month after a CountyLeaks article was published reactionary?

Is this really about IT guys or is it about something else, something worse? 

Why were the three IT guys held to higher and different standards than FPDDC executives and board members? After all, check how much has been paid for all IT contracts since the end of 2011...

Were McDonald, Tepper and Mahmood in the way?

Are the piled-on indictments a tactic to spook defendants into copping a plea? Were 317 felony indictments just not nutty enough? 

Are the 321 (and counting) felony indictments used to distract and muddy up what is really a simple story of self preservation by records destruction?

Is this case no different than one where paper records containing incriminating evidence were locked in a warehouse and someone needed those records to disappear? Could this be described as gaining access to the warehouse, seizing the records and having a bonfire the next day, then notifying authorities that the warehouse guards were paid too much and should be investigated? To gain access would be to circumvent the guards and blame them with something so everyone is too distracted to ask the right questions and to realize what really had happened? Voila -- the ultimate reverse spin?

 At what point does a lie repeated often enough become the truth?

Was this IT case never meant to go beyond perpetual investigation? Did it go forward only when the Illinois Attorney General's office forced the State's Attorney's office to show its hand? If the State's Attorney's office used a criminal investigation as the excuse to not release Alamach invoices under FOIA, then there actually had to be a case? Would this explain the lack of a bill of particulars and no injunction to preserve evidence? Just asking...

How much is this mess costing DuPage County taxpayers? How much MORE will it cost if these three defendants file a federal lawsuit against the Forest Preserve?

Now that FPDDC Financial Director Jack Hogan has been given a huge raise, will he now finally begin producing detailed monthly financial reports?